Where are all the GDPR Prosecutions?
In last year’s ‘Trends for 2018’ whitepaper we discussed the impact GDPR was likely to have on the video surveillance industry. One year on, we assess the situation going into 2019.
Even those reading this from outside the EU will no doubt have seen a flurry of GDPR-related emails around May 2018 asking them to update their marketing preferences for various mailing lists. For many, this will have been the limit of their experience with GDPR. Judging by the large number of emails with tweaked privacy policies, GDPR certainly prompted action from many companies. So, with apparent widespread compliance regarding marketing data, what about video surveillance?
Well, for video surveillance systems, the evidence for compliance with GDPR regulations is much less obvious. GDPR replaced the privacy regulations of EU member states, some of which had no specific requirements for video surveillance and some of which did (for example, requiring signage for video surveillance recording and a dedicated contact or data controller). Nevertheless, many of the GDPR requirements applying to video surveillance technology still seem shrouded in ambiguity.
Some video surveillance vendors have marketed features and solutions for ‘privacy by default’, which is a principle of GDPR. These product features include automated image-masking video analytics and greater control of user permissions. However, despite some marketing claims to the contrary, there are no official ‘GDPR compliant’ products.
The responsibility to police GDPR principally rests with each EU member state’s data protection authority. Over 6 months on from the introduction of GDPR, there have still been few test cases which have proceeded to prosecutions or fines. Also, despite some complaints and investigations, to our knowledge there have still been no prosecutions or fines related to video surveillance. An issue faced by the data protection authorities will be the public’s increased awareness of privacy regulations and, consequently, the volume of complaints they now must investigate. This is likely to have put increased pressure on their resources.
Large fines for those found to be in breach of GDPR rightly remain as a deterrent to non-compliance and can promote self-policing of the regulations. However, there remains potential for a class-action-style compensation campaign against a data breach or deliberate misuse. If this type of action occurs, it is most likely to be against a large organization with many affected users, such as a social network organization, bank or retailer. If successful, this could lay the foundations for smaller cases such as those likely for video surveillance. Yet, this is still speculative. As we start 2019, the actual impact of GDPR on the video surveillance industry has been small.
The hype surrounding the introduction of GDPR and the growing number of high-profile data-breach scandals have put privacy protection at the forefront of many user agendas. Video surveillance vendors that are perceived to be proactively confronting privacy concerns and promoting ethical data use will be well placed to succeed should GDPR regulation have more bite in 2019.